[detaro]

4 and 5 should already be covered by your privacy policy, which you can point at or copy paste from. Yes, you need to have thought about this once, but you've done that once and not when a customer asks hopefully! Ecommerce even has easy answers for why and how it is processing data most of the time.

The logfiles argument is generally overblown: the process for someone to establish a valid request for that isn't that typically that easy, and in most cases has the simple solution to not keep logfiles with personal data for long if at all (e.g. many webhosts already will by default or as an option anonymize IPs in logs, and it's not all that difficult to implement in other cases).

For business data, yes, you need to be able to look up customers and what data they've given you - but which business application doesn't allow that already?

I don't want to say it's trivial, but small operations tend to also have a small surface for this, easy oversight over everything, and can get this in order with an initial effort to design privacy policies (and identifying and cleaning up places they maybe were negligent before) and prepare checklists that make handling requests easy. I know plenty small shops that have done this just fine.